Pass helper may ignore GPG key absence

[serious-angel]

Dear Developers,

Thank you for the awesome project!

Issue

For some reason, pass helper may result in error when trying to docker push:

denied: requested access to the resource is denied

There is no other error message shown even if docker login returns "Login Successful" called just prior a pushing.

The issue is that the helper probably does not respect the non-zero exit code returned from pass, that is also shown in the strace:

...
epoll_ctl(4, EPOLL_CTL_DEL, 3, 0xc0000d5724) = 0
close(3)                                = 0
epoll_ctl(4, EPOLL_CTL_DEL, 9, 0xc0000d5724) = 0
close(9)                                = 0
epoll_ctl(4, EPOLL_CTL_DEL, 11, 0xc0000d5724) = 0
close(11)                               = 0
--- SIGURG {si_signo=SIGURG, si_code=SI_TKILL, si_pid=6150, si_uid=1000} ---
rt_sigreturn({mask=[]})                 = 0
waitid(P_PID, 6156, {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=6156, si_uid=1000, si_status=0, si_utime=0, si_stime=0}, WEXITED|WNOWAIT, NULL) = 0
futex(0x5d73a0, FUTEX_WAKE_PRIVATE, 1)  = 1
wait4(6156, [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0, {ru_utime={tv_sec=0, tv_usec=7522}, ru_stime={tv_sec=0, tv_usec=26082}, ...}) = 6156
sched_yield()                           = 0
futex(0x5d72b8, FUTEX_WAKE_PRIVATE, 1)  = 0
epoll_pwait(4, [], 128, 0, NULL, 0)     = 0
epoll_pwait(4, [{events=EPOLLOUT, data={u32=1010302978, u64=9167000871277953026}}], 128, -1, NULL, 0) = 1
epoll_pwait(4, [], 128, 0, NULL, 0)     = 0
epoll_pwait(4, [{events=EPOLLOUT, data={u32=994050050, u64=9167000871261700098}}], 128, -1, NULL, 0) = 1
epoll_pwait(4, [], 128, 0, NULL, 0)     = 0
epoll_pwait(4, [{events=EPOLLOUT, data={u32=1042808835, u64=9167000871310458883}}], 128, -1, NULL, 0) = 1
epoll_pwait(4, [], 128, 0, NULL, 0)     = 0
epoll_pwait(4, [{events=EPOLLIN, data={u32=1026555906, u64=9167000871294205954}}], 128, -1, NULL, 0) = 1
futex(0x5d73a0, FUTEX_WAKE_PRIVATE, 1)  = 1
read(10, "gpg: decryption failed: No secret key\n", 512) = 38
read(10, 0xc0001b4026, 986)             = -1 EAGAIN (Resource temporarily unavailable)
epoll_pwait(4, [], 128, 0, NULL, 0)     = 0
epoll_pwait(4, [{events=EPOLLHUP, data={u32=1026555906, u64=9167000871294205954}}, {events=EPOLLHUP, data={u32=961544194, u64=9167000871229194242}}], 128, -1, NULL, 0) = 2
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=6164, si_uid=1000, si_status=2, si_utime=0, si_stime=2} ---
rt_sigreturn({mask=[]})                 = 2
futex(0xc000080148, FUTEX_WAKE_PRIVATE, 1) = 1
read(8, "", 512)                        = 0
epoll_ctl(4, EPOLL_CTL_DEL, 8, 0xc0000345e4) = 0
close(8)                                = 0
futex(0xc00003e548, FUTEX_WAKE_PRIVATE, 1) = 0
write(1, "exit status 2: gpg: decryption failed: No secret key\n\n", 54) = 54
exit_group(1)                           = ?
+++ exited with 1 +++

exit status 2: gpg: decryption failed: No secret key

So, in the case the password store is currently locked, Docker usage with such credentials is probably impossible.

Solution

A solution is to "cache" the GPG key via pass show with gpg-agent, for example, and call docker push immediately afterwards:

Question

Is that an intended behavior?

---

Best and kind regards ✨